6 Cryptographic Commands
You can use the cryptographic commands to encrypt and decrypt the provided data using the Oracle Key Vault managed security objects.
- okv crypto data decrypt Command
  The okv crypto data decrypt command performs a decrypt operation on the given ciphertext data using the Oracle Key Vault managed security object that is within the Oracle Key Vault server, and returns the decrypted data.
- okv crypto data encrypt Command
  The okv crypto data encrypt command performs an encrypt operation on the given plaintext data using the Oracle Key Vault managed security object that is within the Oracle Key Vault server, and returns the encrypted data.
6.1 okv crypto data decrypt Command
The okv crypto data decrypt command performs a decrypt operation on the given ciphertext data using the Oracle Key Vault managed security object that is within the Oracle Key Vault server, and returns the decrypted data.
Required Authorization
The endpoint must have read permission on the key used for the decryption.
Syntax
okv crypto data decrypt --uuid UUID --data file_path --block-cipher-mode block_cipher_mode --padding padding --iv file_path --authenticated-encryption-additional-data file_path --authenticated-encryption-tag file_path --data-format data_format --decrypted-data output_file_path
JSON Input File Template
    {
      "service": {
        "category": "crypto",
        "resource": "data",
        "action": "decrypt",
        "options": {
          "uuid": "#VALUE",
          "data": "#VALUE",
          "blockCipherMode": "#CBC|ECB|CFB|OFB|GCM",
          "padding": "#NONE|ZEROS|PKCS5",
          "iv": "#VALUE",
          "authenticatedEncryptionAdditionalData": "#VALUE",
          "authenticatedEncryptionTag": "#VALUE",
          "dataFormat": "#HEX|BASE64",
          "decryptedData": "#VALUE"
        }
      }
    }
Parameters

| Parameter/Template Parameter | Required? | Description |
|---|---|---|
| --uuid / uuid | Required | Universally unique ID (UUID) of the key to use for the decryption. To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column. |
| --data / data | Required | File path to the ciphertext data that needs to be decrypted. |
| --block-cipher-mode / blockCipherMode | Optional | Block cipher mode. Values are as follows: CBC, ECB, CFB, OFB, GCM. If you omit this setting, then Oracle Key Vault uses the cryptographic parameters that are associated with the key. |
| --padding / padding | Optional | Padding. Values are as follows: NONE, ZEROS, PKCS5. If you omit this setting, then Oracle Key Vault uses the cryptographic parameters that are associated with the key. |
| --iv / iv | Optional | File path of the initialization vector (IV) to use for the decrypt operation. You must use the same initialization vector that was used during encryption. |
| --authenticated-encryption-additional-data / authenticatedEncryptionAdditionalData | Optional | File path of the authenticated encryption additional data to use for the decrypt operation. You must specify the same authenticated encryption additional data that was used during encryption. |
| --authenticated-encryption-tag / authenticatedEncryptionTag | Optional | File path of the authenticated encryption tag to use for the decrypt operation. You must specify the same authenticated encryption tag that was generated during encryption. |
| --data-format / dataFormat | Optional | Data format. Format of the data in the input and output files. If not specified, data is read and written as binary data. Values are as follows: HEX, BASE64. |
| --decrypted-data / decryptedData | Required | File path where the decrypted data is written. If the provided output file does not exist, then an error results. If the file is present, then it is overwritten with the decrypted data. |
JSON Example
- Generate JSON input for the okv crypto data decrypt command:
    okv crypto data decrypt --generate-json-input
  The generated input appears as follows:
    {
      "service": {
        "category": "crypto",
        "resource": "data",
        "action": "decrypt",
        "options": {
          "uuid": "#VALUE",
          "data": "#VALUE",
          "blockCipherMode": "#CBC|ECB|CFB|OFB|GCM",
          "padding": "#NONE|ZEROS|PKCS5",
          "iv": "#VALUE",
          "authenticatedEncryptionAdditionalData": "#VALUE",
          "authenticatedEncryptionTag": "#VALUE",
          "dataFormat": "#HEX|BASE64",
          "decryptedData": "#VALUE"
        }
      }
    }
- Save the generated input to a file (for example, key_decrypt.json) and then edit it to include the decryption settings that you want. For example:
    {
      "service": {
        "category": "crypto",
        "resource": "data",
        "action": "decrypt",
        "options": {
          "uuid": "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
          "data": "/okv/opt/data",
          "blockCipherMode": "GCM",
          "padding": "ZEROS",
          "iv": "/okv/opt/iv",
          "authenticatedEncryptionAdditionalData": "/okv/opt/keys/authenticatedEncryptionAdditionalData",
          "authenticatedEncryptionTag": "/okv/opt/keys/authenticatedEncryptionTag",
          "dataFormat": "HEX",
          "decryptedData": "/okv/opt/keys/decrypted_data"
        }
      }
    }
- Run the okv crypto data decrypt command using the generated JSON file:
    okv crypto data decrypt --from-json key_decrypt.json
  Output similar to the following appears:
    {
      "result": "Success",
      "value": {
        "decryptedData": "/okv/opt/keys/decrypted_data"
      }
    }
6.2 okv crypto data encrypt Command
The okv crypto data encrypt command performs an encrypt operation on the given plaintext data using the Oracle Key Vault managed security object that is within the Oracle Key Vault server, and returns the encrypted data.
Required Authorization
The endpoint must have read permission on the key used for the encryption.
Syntax
okv crypto data encrypt --uuid UUID --data file_path --block-cipher-mode block_cipher_mode --padding padding --random-iv random_iv --iv file_path --authenticated-encryption-additional-data file_path --data-format data_format --encrypted-data output_file_path --iv-out output_file_path --authenticated-encryption-tag output_file_path
JSON Input File Template
    {
      "service": {
        "category": "crypto",
        "resource": "data",
        "action": "encrypt",
        "options": {
          "uuid": "#VALUE",
          "data": "#VALUE",
          "blockCipherMode": "#CBC|ECB|CFB|OFB|GCM",
          "padding": "#NONE|ZEROS|PKCS5",
          "randomIV": "#TRUE|FALSE",
          "iv": "#VALUE",
          "authenticatedEncryptionAdditionalData": "#VALUE",
          "dataFormat": "#HEX|BASE64",
          "encryptedData": "#VALUE",
          "ivOut": "#VALUE",
          "authenticatedEncryptionTag": "#VALUE"
        }
      }
    }
Parameters

| Parameter/Template Parameter | Required? | Description |
|---|---|---|
| --uuid / uuid | Required | Universally unique ID (UUID) of the key to use for the encryption. To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column. |
| --data / data | Required | File path to the plaintext data that needs to be encrypted. |
| --block-cipher-mode / blockCipherMode | Optional | Block cipher mode. Values are as follows: CBC, ECB, CFB, OFB, GCM. If you omit this setting, then Oracle Key Vault uses the cryptographic parameters that are associated with the key. |
| --padding / padding | Optional | Padding. Values are as follows: NONE, ZEROS, PKCS5. If you omit this setting, then Oracle Key Vault uses the cryptographic parameters that are associated with the key. |
| --random-iv / randomIV | Optional | Indicates whether the Oracle Key Vault server should use a random initialization vector (IV). Values are as follows: TRUE, FALSE. Oracle Key Vault uses the |
| --iv / iv | Optional | File path of the IV to use for the encrypt operation. If you include the IV file path in the |
| --authenticated-encryption-additional-data / authenticatedEncryptionAdditionalData | Optional | File path of the authenticated encryption additional data to use for the encrypt operation. If you include the authenticated encryption additional data file path in the |
| --data-format / dataFormat | Optional | Data format. Format of the data in the input and output files. If not specified, data is read and written as binary data. Values are as follows: HEX, BASE64. |
| --encrypted-data / encryptedData | Required | File path where the encrypted data is written. If the provided output file does not exist, then an error results. If the file is present, then it is overwritten with the encrypted data. |
| --iv-out / ivOut | Optional | File path where the response IV is written. If the provided output file does not exist, then an error results. If the file is present, then it is overwritten with the response IV. The IV is returned in If you include the response IV file path in the |
| --authenticated-encryption-tag / authenticatedEncryptionTag | Optional | File path where the response authenticated encryption tag is written. If the provided output file does not exist, then an error results. If the file is present, then it is overwritten with the response authenticated encryption tag. The authenticated encryption tag that is returned must be used when decrypting the ciphertext. If you include the response authenticated encryption tag file path in the |
JSON Example
- Generate JSON input for the okv crypto data encrypt command:
    okv crypto data encrypt --generate-json-input
  The generated input appears as follows:
    {
      "service": {
        "category": "crypto",
        "resource": "data",
        "action": "encrypt",
        "options": {
          "uuid": "#VALUE",
          "data": "#VALUE",
          "blockCipherMode": "#CBC|ECB|CFB|OFB|GCM",
          "padding": "#NONE|ZEROS|PKCS5",
          "randomIV": "#TRUE|FALSE",
          "iv": "#VALUE",
          "authenticatedEncryptionAdditionalData": "#VALUE",
          "dataFormat": "#HEX|BASE64",
          "encryptedData": "#VALUE",
          "ivOut": "#VALUE",
          "authenticatedEncryptionTag": "#VALUE"
        }
      }
    }
- Save the generated input to a file (for example, key_encrypt.json) and then edit it to include the encryption settings that you want. Keep a record of the values that you use during encryption along with the generated ivOut and authenticatedEncryptionTag, if any. You must provide the same values when decrypting the ciphertext. For example:
    {
      "service": {
        "category": "crypto",
        "resource": "data",
        "action": "encrypt",
        "options": {
          "uuid": "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
          "data": "/okv/opt/data",
          "blockCipherMode": "GCM",
          "padding": "ZEROS",
          "iv": "/okv/opt/iv",
          "authenticatedEncryptionAdditionalData": "/okv/opt/keys/authenticatedEncryptionAdditionalData",
          "dataFormat": "HEX",
          "encryptedData": "/okv/opt/keys/encrypted_data",
          "authenticatedEncryptionTag": "/okv/opt/keys/authenticatedEncryptionTag"
        }
      }
    }
- Run the okv crypto data encrypt command using the generated JSON file:
    okv crypto data encrypt --from-json key_encrypt.json
  Output similar to the following appears:
    {
      "result": "Success",
      "value": {
        "encryptedData": "/okv/opt/keys/encrypted_data",
        "authenticatedEncryptionTag": "/okv/opt/keys/authenticatedEncryptionTag"
      }
    }
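The following Python helper is an added example, not part of the Oracle Key Vault client, that ties the encrypt and decrypt sections together: it builds the --from-json input for either command from the command-line syntax shown above, and derives the decrypt input that matches an encrypt input plus its result, which is exactly the record (key, mode, padding, data format, AAD, IV or ivOut, and for GCM the tag file) the encrypt example tells you to keep. The flag names, template keys and allowed values come from this page; the function names and the rule that every mode other than ECB needs an IV are this example's assumptions.

```python
# CLI flag -> JSON template key, as listed in the Syntax and JSON template sections above.
FLAG_TO_KEY = {
    "--uuid": "uuid", "--data": "data", "--block-cipher-mode": "blockCipherMode",
    "--padding": "padding", "--random-iv": "randomIV", "--iv": "iv",
    "--authenticated-encryption-additional-data": "authenticatedEncryptionAdditionalData",
    "--authenticated-encryption-tag": "authenticatedEncryptionTag",
    "--data-format": "dataFormat", "--encrypted-data": "encryptedData",
    "--decrypted-data": "decryptedData", "--iv-out": "ivOut"}
ALLOWED = {"blockCipherMode": {"CBC", "ECB", "CFB", "OFB", "GCM"},
           "padding": {"NONE", "ZEROS", "PKCS5"}, "randomIV": {"TRUE", "FALSE"},
           "dataFormat": {"HEX", "BASE64"}}

def build_request(action, options):
    """Wrap options in the envelope --from-json expects; reject missing or bad values."""
    required = {"uuid", "data", "encryptedData" if action == "encrypt" else "decryptedData"}
    if missing := required - set(options):
        raise ValueError(f"missing required option(s): {sorted(missing)}")
    for key, allowed in ALLOWED.items():
        if key in options and options[key] not in allowed:
            raise ValueError(f"{key} must be one of {sorted(allowed)}")
    return {"service": {"category": "crypto", "resource": "data",
                        "action": action, "options": options}}

def request_from_cli(argv):
    """Turn 'okv crypto data <action> --flag value ...' into the equivalent JSON input."""
    if argv[:3] != ["okv", "crypto", "data"] or argv[3:4] not in (["encrypt"], ["decrypt"]):
        raise ValueError("expected: okv crypto data encrypt|decrypt ...")
    flags, values = argv[4::2], argv[5::2]
    if len(flags) != len(values) or any(f not in FLAG_TO_KEY for f in flags):
        raise ValueError("unknown flag or flag without a value")
    return build_request(argv[3], {FLAG_TO_KEY[f]: v for f, v in zip(flags, values)})

def decrypt_request_from_encrypt(encrypt_req, encrypt_result, decrypted_path):
    """Derive the matching decrypt input: same key, mode, padding, data format and AAD;
    the IV from 'iv' or the returned 'ivOut'; for GCM, the returned tag file as well."""
    enc, value = encrypt_req["service"]["options"], encrypt_result.get("value", {})
    opts = {"uuid": enc["uuid"], "data": enc["encryptedData"], "decryptedData": decrypted_path}
    opts.update({k: enc[k] for k in ("blockCipherMode", "padding", "dataFormat",
                                     "authenticatedEncryptionAdditionalData") if k in enc})
    if iv := enc.get("iv") or value.get("ivOut"):
        opts["iv"] = iv
    elif enc.get("blockCipherMode") not in (None, "ECB"):  # assumption: non-ECB modes need an IV
        raise ValueError("no IV: pass --iv or capture it with --iv-out at encryption time")
    if enc.get("blockCipherMode") == "GCM":
        if not (tag := value.get("authenticatedEncryptionTag") or enc.get("authenticatedEncryptionTag")):
            raise ValueError("GCM decrypt needs the tag written by --authenticated-encryption-tag")
        opts["authenticatedEncryptionTag"] = tag
    return build_request("decrypt", opts)
```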